Franken Bill Would Protect Consumers Location Data

GovTechGuy writes "Sen. Al Franken (D-Minn.) unveiled a new bill on Wednesday that would require firms like Apple and Google to obtain consent from consumers before collecting or sharing their smartphone location data with third parties. The bill would cover all mobile devices including tablets and require firms to inform consumers when they collect their data and allow them to delete it when requested."

eula

Very cool! I love clicking "I accept" on EULAs!

Re:eula

[i+kan+reed]

You missed the second part. You can tell them to delete your location information, and they'd be compelled by law to do so. That would definetly be different.

Re:EULA

[lrobert98]

Perhaps. But at least they'll have to explicitly state that they're collecting the data and also tell you how they're sharing it. They'll also have to give you a way to delete your data. It's a big step in the right direction.

Re:eula

[Jabrwock]

Unless they have a warrant from law enforcement. Then they can ignore the request to delete.

Re:eula

[sexconker]

And they still wouldn't delete it.
If a user tried to sue, they'd say all their records were "anonymized", and thus no one user can claim any damages because they can't prove their records were used against their wishes.
If any group of users tries to start a class action, they'll point to the bullshit arbitration clause (no class action suits) in the EULA.
If a state tries to protect consumers and say "that clause is illegal", they'll just buy off the supreme court of the state.

(Protip: All of these things have already happened.)

Re:eula

But doesn't deleting your location information erase you from existence?

Re:eula

But ... but ... that's communism!

Re:eula

[i+kan+reed]

I think in general, if you're concerned about warranted seizures of your information, you've got a lot else to worry about in the near future. I'm not sure I see the problem.

Re:EULA

[HTH+NE1]

Indeed, let us know when a bill prohibits the prostitution of our personal information for services.

Re:EULA

[whoever57]

But at least they'll have to explicitly state that they're collecting the data and also tell you how they're sharing it.

They will put this at the bottom of a 50-page EULA that no-one reads past the first page anyway.

They'll also have to give you a way to delete your data. It's a big step in the right direction.

This is a big step, but the fact that it doesn't apply to law enforcement makes its utility very limited.

Re:eula

[werewolf1031]

It's frightening to me how many people just don't (or refuse to) understand the heart of the problem, in that they are perfectly willing to let every tiny freedom slip away one at a time because "that doesn't affect me right now".

You may be the favored demographic today, but as political leaders change, and, more importantly, laws change, you may find a bulls-eye on your back tomorrow when someone in power doesn't like something you say or do that was, yesterday, considered perfectly harmless.

I would even go one step further and argue that someone who truly "has nothing to hide/fear" is part of the problem, and probably would never understand why.

Re:eula

[i+kan+reed]

What?

Here is what a warrant is.

You have actively been suspected of wrongdoing. The reasons why you might be suspected have been presented to an impartial(at least in theory, this part could always use work) judge. That judge, upon reviewing those reasons has determined that you should be investigated for possibly committing a crime. At this point you are not convicted, but data like this could be used to show whether you have done something or not. Then you get a day in court, to defned against this evidence.

If actual evidence points to wrongdoing, you aren't in a position to claim that the data was irrelevant spying or a fishing expedition by corrupt police. A warrant means you're already under suspicion for a specific crime.

It's not letting your rights slip away to allow the subpoena of evidence as part of due process.

Warrantless wiretapping: yes that's bad
Detaining prisoners without habeus corpus: downright treasonous
Torturing anyone: inhuman
Collecting evidence with a warrant: part of a sane society that supports the rule of law

Govt.?

[Joehonkie]

Does "third parties" include the government?

Re:Govt.?

[Alternate+Interior]

Exactly. Somehow it seems like The FBI (http://www.wired.com/threatlevel/2010/10/fbi-tracking-device/) should have a problem with this legislation.

Re:Govt.?

[Jabrwock]

No. The bill explicitly states that it does not affect collection of data by law enforcement, or transfer of location data to law enforcement.

That's covered under a different bill.

http://franken.senate.gov/files/docs/110614_The_Location_Privacy_Protection_Act_of_2011_One_pager.pdf

Re:Govt.?

[blair1q]

It's covered under the 4th Amendment, unless the data are visible to the public, which Franken's bill will allow users to prevent.

We need another Al Franken decade.

Re:Govt.?

[Jabrwock]

That's debatable, and several courts have allowed things like location trackers without warrant, and the searching of cell phones and computers. There's a new bill in the works to explicitly require warrants for electronic surveillance.

Re:Govt.?

[JordanL]

As much as I think it should be, it is by no means obvious that knowledge of a particular person's current or past locations constitutes a "search or seizure".

Sure it's easier with a database, but police don't need a warrant to go to the coffee shop and as "has Joe Blow been here recently?" nor should they. I think this is a much more genuine debate than most people see it as, although I don't think having complete information of past locations is the same, and thus should be subject to a warrant and judicial oversight. I'm simply pointing out that it's not crazy to consider this merely and extension of what has been happening with location and the police for over 100 years.

Re:Govt.?

[JordanL]

I didn't notice at first, but you and me had a conversation over a similarly charged topic yesterday. I just wanted to say, in regard to that, that while I think you were too absolutist, you made several good points, and I hope you don't simply respond with anger to this particular comment.

Re:Govt.?

[camperdave]

Al Franken? I thought that a Franken bill was a bill with all sorts of unrelated riders on it; from the story of Frankenstein's monster.

Re:Govt.?

[blair1q]

You're specifying a case there that misses the point a little.

Going to the coffee shop is public data.

What rooms you spend the most time in at home is not, unless you give someone permission to upload your GPS data it to the web for others to see. (and yes, even with GPS's shitty accuracy it's possible to figure that out, statistically)

Re:Govt.?

[blair1q]

And I thought it was part of a blue-plate special with beans as a double-bill.

Re:Govt.?

[kenrblan]

I had the exact same thought and was reading comments to make sure I wasn't the only one.

Re:Govt.?

Does "third parties" include the government?

Great question!

Re:Govt.?

[JordanL]

Which I agree with. I think that cell phone location data should be a case that requires a warrant for that reason.

Re:Govt.?

[MikeBabcock]

I only use phone apps that collect my location by cell network. I don't allow fine-grained GPS information except to my GPS navigation software. I don't see the need for to-the-meter accurate data about my location to serve me appropriate advertising.

Re:Govt.?

[simmonsjeffreya]

The real question is, why only third party companies? This bill should be worded to require consent to share the data with anyone, including whoever produced the device. There is no reason they need this data and it is an intrusion into the privacy of the individuals who were dumb enough to purchase a product from them.

EULA

[StripedCow]

Those companies will just make it part of the EULA, which you'll have to accept anyway to use the app.

Um....

The iPhone already requires user consent before apps can use location data. It's awesome when government tries to design software.

Re:Um....

Yes, but it DOESN'T require your consent when it sends that location information, along with a unique device identifier, back to Apple.

And if you think I'm referring to that whole thing a while back about how your iPhone "track you" in a secret file, I'm not. It turns out that whenever anything looks up a location on your iPhone - and this includes things like the camera! - the iPhone will look for nearby WiFi sites, and then upload your GPS coordinates along with a list of WiFi sites to Apple. This is sent along with an "anonymous" unique device ID.

You can't opt out of that. Well, you can if you disable location services entirely for the entire phone. But if you're going to do that, you might as well get a cheaper phone that has no GPS.

But even if you go that route with the iPhone, even with location services off, Apple still tracks your IP and uses geolocation services to determine your location if you use any app that uses iAd. And, again, you CAN'T opt out of this.

Not sure why they mention Google...

[Sierra+Charlie]

Location sharing in Android is already opt-in, with a per-app or per-website granularity.

Re:Not sure why they mention Google...

And Apple doesn't share with third-parties. But this is a proposed law to keep things that way.

Re:Not sure why they mention Google...

[lrobert98]

But the OS itself is doing it.

Re:Not sure why they mention Google...

[tripleevenfall]

I think the law should be written to say that there must be an additional opt-in, beyond location services, if your location data is going to be stored or uploaded off your device.

Re:Not sure why they mention Google...

[blair1q]

If by "opt-in" you mean "opt-in or this app won't work even though it's not obvious at all why a game involving flinging birds at pigs would require such a thing..."

Re:Not sure why they mention Google...

[wumpus188]

If you're talking about Angry Birds on Android, "coarse location data" is AdMob requirement.

Re:Not sure why they mention Google...

As someone who has developed with Admob, that's only true if they specifically decide to gather it to target the ads further, AdMob works just fine without.

Re:Not sure why they mention Google...

[blair1q]

Angry Birds works just fine in Airplane mode. Doesn't even put up a blank box where the ad it fails to fetch would go.

Re:Not sure why they mention Google...

[MikeBabcock]

That's also opt-in.

The phone asks when its first activated if you wish to allow it, and you can disable it at any time from within the preferences.

You can also tell it not to use the GPS receiver and only track your location by cell network.

Re:Not sure why they mention Google...

[Asdanf]

Today most browsers that can expose location prompt the user before doing so. It sounds like this bill would require the websites to also obtain explicit permission, meaning to share your location you would always have to click "ok" twice in a row. Seems like a pain; why not continue to rely on the core browser/OS to manage these permissions?

Re:Not sure why they mention Google...

[thegarbz]

But it's disabled out of the box.

It is also opt-in, and the first time you activate it you get a warning about the info sharing, and you have the option to turn it off whenever you see fit.

To be buried in EULA

[DaveSlash]

Yeah, read all about it in the EULA.

This is how you get paid.

Good job, Franken. Enjoy your well planned change of heart driving your new BMW.

Re:This is how you get paid.

At least here's one Minnesotan politician that isn't a constant embarrassment to his state (*cough* Bachman *cough* Pawlenty).

Would you like to allow X to check your location?

[PickyH3D]

In the best case scenario, the OS keeps track of requests for location by apps and guarantees that the first request is always preempted by a user dialog.
In an almost worst case scenario, the OS depends on static analysis and misses dynamic calls (reflection where available) and side loaded applications that are filled with trojan functionality.
In the worst case scenario, the OS maker buries the consent in the Terms of Service.

I believe that every application on iOS already faces the best case, but it may be through static code analysis.

I think that Android does static analysis and I know that it mentions it in the installer, but I'm not sure how they figure it out other than static analysis (maybe a config file like WP7).

WP7 requires a flag be set by the application at a configuration level to have access. If it is flagged, then the request is made to the user. Without the flag, the application cannot request location details.

Regardless, I feel like this is just another thing that really is not necessary for a law to be in place about. Especially not in the manner that it is phrased. That just begs for a single line in the ToS.

FrankenBill

[Culture20]

Do not expose it to fire. "It's Alive!"

Re:FrankenBill

[blair1q]

I bet it's got an enormous codocil.

Re:FrankenBill

[mangu]

When I saw the title I thought they had merged bits and pieces of several dead bills.

define "collecting"

[Frequency+Domain]

Apple had the data on the device and included it in a readable format in backups to your sync machine, but they weren't "collecting" it in any meaningful sense of the word. The info wasn't being sent back to Apple or to third parties without consent, it was used as a cache to speed local operations. Is caching now considered collecting?

Re:define "collecting"

[Jabrwock]

Apple had the data on the device and included it in a readable format in backups to your sync machine, but they weren't "collecting" it in any meaningful sense of the word. The info wasn't being sent back to Apple or to third parties without consent, it was used as a cache to speed local operations. Is caching now considered collecting?

Good question. It seems the bill forbids the company from collecting the data from the phone, but there's nothing stating that the phone can't keep on recording that data.

Re:define "collecting"

[LoganDzwon]

technically, it wasn't actually the users location either, just the location and last date seen of cell towers.

Re:define "collecting"

[Anubis+IV]

While the data you specified was indeed a cache that was not being uploaded to Apple or third parties, Apple did confirm elsewhere that they do collect location data in order to crowd source the effort of locating Wi-Fi hotspots. They also mentioned that they are building some sort of automobile traffic monitoring service.

That said, I don't see how this bill would change much. The data Apple is sent is anonymized, and they only collect it if you agree to turn on Location Services. Likewise, third parties don't have access to your location unless you grant them explicit access. I don't use Android, but I was under the impression it did something similar. Aside from the clause about being able to delete your data, which likely won't apply if the data is anonymized, the summary here doesn't indicate a change from the status quo.

At least, not as I understand it, but I'm sure someone can point out if I'm wrong.

Re:define "collecting"

[sexconker]

Cache comes from the Latin cogere. To collect. A cache is a collection.
The modern (bastardized by the French) usage of a cache adds "hidden" to the meaning.

Apple storing location data in a specific location it knows about and consumers don't (or don't have access to / full control over) is both collecting it and hiding it.
They may not be retrieving that information, nor may they have any intent to do so.
But they are collecting it.

Re:define "collecting"

[countertrolling]

...they weren't "collecting" it in any meaningful sense of the word.

How do you know?

Re:define "collecting"

[mkremer]

Actually it could change something, if Apple is required to be able to delete the data on request then the data can not be anonymized. Unless the bill says that the requirement to delete data on request does not apply to anonymized data.

Huge Kudos!

[Lou57]

This legislation is a breath of fresh air in a world where people buy and sell information about me for their marketing purposes. Let me add to this though ...

I hope that this legislation will require that this consent must be obtained outside a standard EULA.
I hope that this legislation can be extended to ANY device that tracks my location, such as future cars.
I hope that this legislation can be extended to REQUIRE a warrant before any one can provide this information to the government.

I dont have a problem with

[nimbius]

Franken Bill, so long as its in by 8:00 and not rampaging through downtown like Franken Stein.

Re:I dont have a problem with

Franken Stein has been running amok since the Nixon administration collapsed. Thankfully he's (mostly) focused on being entertaining more than creating public policy.

Great idea!

He's good enough, he's smart enough, and dog gone it...PEOPLE LIKE HIM!!!

Re:Great idea!

No they don't.

About Al

[JBMcB]

Not to threadjack, but if we're talking about Sen. Franken...

Al Franken reads the 4th Amendment to a justice department official defending the PATRIOT act:
http://www.youtube.com/watch?v=6A8A7hsDOAw

Al Franken's recent vote on extending the Patriot Act (from Project VoteSmart)

02/15/2011 Extension of Various Patriot Act Provisions HR 514 Y Bill Passed - Senate

That Y means Yea.

??

Re:About Al

[blair1q]

Not to logicjack but "various provisions" is not an extension of all provisions, and his point in reading the 4th amendment may not have applied to the whole act.

It's also possible (though never very sightly) that he voted quid for some pro quo elsewhere. That's how representative government works. It'd gridlock otherwise.

Re:About Al

Even if his vote was "I consent" instead of "I agree", that still means he consented to the bill. This is something that deserves vehement opposition, not a tepid rant followed by capitulation.

Re:About Al

[p0p0]

Y means Yea.? I would have thought it meant Year. Interesting.

Re:About Al

[geekmux]

Even if his vote was "I consent" instead of "I agree", that still means he consented to the bill. This is something that deserves vehement opposition, not a tepid rant followed by capitulation.

Exactly. The only "extension" to any part of the "Patriot" act should be to extend the staples holding it together before it gets tossed into the shredder...never to be brought up again.

Re:About Al

[Mongoose+Disciple]

Deserves, yes.

Unfortunately, we still live in an America in which someone who votes against the Patriot Act will be demogogued in the next election as being "soft on terrorists" and not caring enough about the safety of Americans.

Also unfortunately, we get the government we deserve as a people.

Re:About Al

that he voted quid for some pro quo elsewhere. That's how representative government works. It'd gridlock otherwise

Which means votes can be bought. Either thru favors, the buddy system, or just not bothering to read the bill and looking to what the 'leaders' are doing ("lets pass this and see what we get").

That is what you get. Vote buying. To the highest bidder. Do not tolerate it from your representatives even when you did/didnt vote for them.

Re:About Al

[blair1q]

Of course they can be bought. Nominally they're bought by the voters, who pay by returning the guy to congress for particular legislation. But voter votes are bought by the representative, either by voting for particular legislation or trading for votes that get particular legislation through while losing other legislation.

It's not a bad system; it's just more complicated than "shut up and raise your hand the way we tell you to or we won't vote for you in November". It's what you get for boiling the results of 2-6 years of work down to For or Against on election day.

If your guy is unwilling to compromise and trade, he becomes a predictable sucker, and when he really wants something done he will be alone in wanting it, and his stance as an iconoclast isn't worth a handful of navy bean soup in the history of lawmaking.

Re:About Al

[LordLucless]

It'd gridlock otherwise

Sounds good to me. Haven't heard of any legislations passed recently that actually solves any problems held by the people of the United States. A government that does nothing, except in situations important enough to overcome partisanship, sounds almost ideal.

Does this cover car systems then?

[Fallen+Kell]

Just wondering what the definition of "mobile device" was, since many cars have been collecting location data now that many have GPS systems in them for a while.

Re:Does this cover car systems then?

[unil_1005]

car, segways, motorcycles, airplanes (general aviation), etc.

So the collection cannot be anonymous?

[juancn]

I'm not sure this is a good thing. If the y have to let you delete it, they have to know it's your data.

Right now, collection is anonymous, that is, it is not tagged with your identity. If they must let you delete it, anonymity goes out the window.

Re:So the collection cannot be anonymous?

[HTH+NE1]

The data could be associated to a non-reversible hash of identity information disclosed only to you. You tell them to delete all data associated with the hash. Technically it isn't anonymous, it's pseudonymous: the hash is your pseudonym.

Anyone else read this as bad?

[msobkow]

My first thought was Frankenfood, Frankenstein, etc. Didn't realize until I RTFA that it's the guys name. *LOL*

Re:Anyone else read this as bad?

[Megahard]

Franken Stein - what Al Franken drinks beer from.

Frankenbill?

[dotfile]

Am I the only one who expected to see a bill made up of recycled bits and pieces of old bills, stitched together and brought back to life in a midnight session?

Data Anonymization Exemption?

[Jahava]

I like the disclosure aspects of the bill, but I hope it doesn't hinge on the personal aspect of the data. If data that has undergone anonymization can still be used without consent, then this bill might as well not exist.

One of the easiest things possible is to de-anonymize anonymous location data sets. I suspect that looking at:

• Overall geographic affinity
• Most frequently visited locations (e.g., home and work)
• Consistently-visited outliers

... would provide more than enough data to positively identify almost any human in the world. Honestly probably just the (work, home) tuples could identify 95% of us.

The *consent* will be buried in the EULA

[andi75]

Asking for consent is absolutely meaningless. In order to get security updates, you'll have to accept the new EULA and will be forced to agree to whatever they ask.

The only way out is to make it illegal to store any more data then is absolutely necessary (e.g. a train time table app only needs your location *now* to find the nearest station, but has no business of retaining that data) for the normal operation of the application.

Re:The *consent* will be buried in the EULA

[Dahamma]

Yeah, it immediately reminded me of the 40+ page EULA I had to agree to just to update my already-purchased-apps from the iTunes store. Not to mention they seem to update this absurd EULA about every week, asking you to approve it every time. I'm pretty sure I have now agreed to become a human centipede.

What Franken *should* be doing is passing legislation that makes any EULA that can't reasonably be expected to be read by the average consumer (say, a 40 page document displayed on an iPhone screen and updated once a week) invalid and unenforceable...

OK for Government, but Not Private Industry

[Pauldow]

So they want to restrict private companies from collecting and sharing someone's location data, yet the federal government is planning on implementing a rule that requires someone flying in a private plane to have a verified and approved security threat before they will prevent the government's location tracking to be made public. http://www.nbaa.org/ops/security/barr/20110318-barr-bolen-aopa.php
This is referred to as the TMZ bill since it will allow paparazzi to know the location of celebrities. It will also allow companies to learn where their competitor's aircraft are.

There's just one more step before toll transponder information is made public too.

Good

Thank you for info. http://exercisesto-reducetummy.com/articles/abb-workouts/the-great-abs-mistake/

why stop at mobile?

[sixsixtysix]

why stop at mobile?

Al Franken -- Moron

[davesmall]

What a friggin moron. Get Al Franken out of Congress at the first opportunity. He doesn't belong there.

who exactly should we be targeting?

All I can see is that I made 1 political donation, and now the FCC posted my information, name, address, age, political affiliations, and an insight into my financial status (how much I donated is how much disposable income I had at that time,) all over the internet for anyone to see. At no time was I warned that this would happen, nor did I opt in.

I've opted into Google's services, and not 1 shred of my information shows up from that on the internet.

I can't comment on Apple as I haven't given them the opportunity.

Who exactly is the biggest threat here??

Government: If you think the problems we create are bad, just wait till you see our solutions.

A Frankenbill?

[jandersen]

Has it been stitced together from badly matching parts, equipped with the brain of a psychotic killer and brought to life with a bolt of lightning?

Disclaimer: I didn't read TFA, so I am jusr exercising my inalienable right to shoot off my mouth without checking facts.

What? WHAT?! Frankenberry?

I swear I read: Frankenberry would protect consumers location data.

A quick wikipedia lookup shows that the telltale "Frankenberry Stool" would precisely indicate where you've been.

Re:Or not...

[thegarbz]

Funny you should mention this. On Android you get a separate EULA for the location tracking which you can disable at any time (or rather enable at any time since it comes disabled out of the box).

Lies and the Lying Liars Who Tell Them

[doperative]

" Lies and the Lying Liars Who Tell Them is a satirical book on American politics by comedian, political commentator and now Senator Al Franken, published in 2003 link - Amazon.com Review

Dear Congress...

That's our job. Quit trying to do it for us.
Sincerely,
Consumer.